LEGAL COMPLIANCE REGARDING COMMERCIAL ELECTRONIC COMMUNICATIONS
İçindekiler
ToggleBACKGROUND
The Law No. 6563 on Regulation of Electronic Commerce (the “Law”) entered into force on May 1st 2015, introduced provisions concerning e-commerce and commercial electronic communications. The Regulation on Commercial Communication and Commercial Electronic Messages (the “Regulation”) that came into force on July 15th 2015 regarding the procedures and principles of the Law, regulated the content of commercial electronic communication, approvals/consents to be received from recipients, right to refuse and exceptions to the obligation to receive approval. After all, Amendment to the Regulation on Commercial Communication and Commercial Electronic Communications (“Amendment Regulation”) (together “Legislation”) defines a system “Commercial Electronic Communication Management System” (İleti Yönetim Sistemi as “IYS”) to operate and execute the procedures relating to the approval, rejection and complaint of commercial e-communications.
The most important regulation introduced as part of the Legislation is the decision of establishment of
IYS by the Ministry of Trade (the “Ministry”). IYS which is owned by İleti Yonetim Sistemi A.Ş. (joint-stock company) on behalf of The Union of Chambers and Commodity Exchanges of Turkey (Türkiye Odalar ve Borsalar Birliği – TOBB) provides the following:
- The elimination of grievances, such as the difficulty of determining to which firms the consent was given for the commercial electronic communications and requirement to contact each service provider individually to cancel the consent given by the recipient,
- Service providers can now collect recipients’ approvals needed in order to be able send commercial electronic communications to recipients with the system,
- The existing approvals can be stored securely within the system,
- Complaints can easily be made by recipients, along with rejection and approval procedures,
- The government can display the status of message complaints and the subject of the complaint.
All natural and legal persons who wish to send commercial electronic communications have an obligation to register with IYS as per the new provision added to the Article 5 of the Regulation by the Article 4 of the Amendment Regulation. Registrations to IYS can be made in the following schedule:
- As of January 2020, IYS registration applications is available for service providers;
- As of June 2020, service providers can have access to IYS platform;
- November 30th, 2020 was the last day to transfer the approvals received by the service providers in accordance with the regulation to IYS. Approvals that have not been submitted into IYS until this date will not be considered valid and commercial electronic communications will not be sent to the recipients who have not given approval. Recipients will be notified that their approval has been uploaded to IYS and recipients will be able to use their right to refuse from this date. Also, IYS will be opened for recipients (citizens) on that date.
- January 16th, 2021 was the deadline for recipients who can access to IYS to make a refuse notification regarding their approval within IYS. Recipients who do not exercise their right to refuse until this date will be accepted as they approved. In the messages to be sent after this time, it is made compulsory to check the consent of the recipient from IYS.
NEWSBREAK: UPDATE of NOV 30th ABOUT DEADLINES BY THE MINISTRY |
Further to the amendments to the Regulation published in the Official Gazette on August 28, 2020, the deadline for the transfer of consents to the IYS; |
v Has extended to December 31st, 2020, with respect to service providers which have more than 150.000 approved data. In this regard, recipients of these electronic messages should review and accept or revoke their consents registered with the İYS until February 15th, 2021. After this date, commercial electronic messages sent will be considered as sent based on a valid consent. |
v Has extended to May 31st, 2021, with respect to service providers which have less than 150.000 approved data. In this regard, recipients of these electronic messages should review and accept or revoke their consents registered with the İYS until July 15th, 2021. After this date, commercial electronic messages sent will be considered as sent based on a valid consent. |
NOTE: In this memo, answers are fictionalised in reference to deadline of November 30th, 2020. Simon-Kucher & Pertners may attention to deadlines according to December 31st, 2020 or May 31st, 2021 key to its approved data number.
SECTION 1 – DEADLINE on 1st of DECEMBER
What are the implications and consequences if Simon-Kucher & Partners have not uploaded their CRM data to the iYS servers by December 1st?
The recipient approvals that the service providers did not register with IYS until November 30th, 2020 will be considered invalid. Therefore, after this date, service providers will not be able to send commercial electronic communications to those recipients without obtaining a new confirmation. If the service provider sends a commercial electronic message to the recipient even though it has not received consent from the recipient or has not sent this consent to IYS, the recipients can file a complaint within 3 months. In the event of violation of the Law and Legislation has been decided, an administrative fine will be imposed on the service provider within the framework of Article 12 of the Law. Administrative fines will be paid within 1 month from the date of notification according to the Subclause 2 of the Article 17 of the Regulation.
Service providers not registered to the IYS cannot upload their permissions to the IYS. E-Commerce Law and the Regulation states that permissions not uploaded to the IYS shall be deemed invalid. Therefore, existing and future permissions shall be invalid (due to not being uploaded to the IYS). Consequently, sending commercial electronic messages without valid permission shall constitute a violation of E-Commerce Law and the Regulation and may result in administrative fines from 1,899 up to 9,514 Turkish Liras. If service provider sends commercial electronic messages without permission to multiple recipients at once, relevant administrative fines shall be calculated up to 10 times of the relevant amount. Additionally, failure to cease sending messages to a recipient who has opted-out within 3 working days (which may occur due to not checking the permission status of the recipient from the IYS) may result in administrative fines from 3,799 up to 28,544 Turkish Liras.
Do we face a possible fine for not doing it, even if we do not send out any e-marketing communication after that date?
If Simon-Kucher & Partners will not send out any e-marketing communication to its portfolio after November 30th, 2020, there will not any possible fine at all. IYS works only for the service providers which operate e-marketing channels.
Are we no longer able to send e-marketing communication to those contacts?
Yes, the recipient approvals that the service providers did not register with IYS until November 30th, 2020 will be considered invalid. It is not possible to send those contacts after the date. Even if the sending happens, it will be against the legislation.
Will it (still) be possible to upload data after December 1st if we miss to upload the data by December 1st?
Yes, system of the IYS will always open for service providers which requested data upload.
SECTION 2 – SCOPE OF THE LAW
Which types of communication channels are in scope of the law?
According to the Regulation, commercial electronic messages are defined as messages containing data, audio or visual content, transmitted electronically for “commercial purposes”, by making use of mediums such as telephone, call centers, fax, automated calling machines, smart voice recording systems, e-mail and short message services.
In other words, commercial electronic messages are e-mails, SMS and phone calls sent/made to the recipients by the service providers to promote, advertise and/or remind their business/products/services. This promotional intention is interpreted broadly. For example, birthday messages or holiday greetings are considered sent with commercial intent as they increase brand value and loyalty in the eyes of the recipient.
Pursuant to the Ministry of Trade’s non-binding interpretation, push notifications and in-app ads are not within the scope of the Regulation/ commercial electronic messages legislation. However, it should be noted that push notifications and in-app ads are not explicitly excluded from the application of the Regulation.
Following message types are not within the scope of the Regulation;
- Commercial electronic messages sent by operators within the scope of Electronic Communication Law numbered 5809 and dated 5/11/2008 to exclusively promote and market their own products and services or their business to their subscribers and users,
- Messages sent by foundation universities and other private education and training institutions to their students and their parents,
- Messages sent by public occupational organizations, associations that are beneficial to the public and tax-exempt foundations to their members regarding the activities of their own commercial businesses,
- Information messages regarding broadcasting services made by radio and television broadcasting organizations in order to inform and educate the public in accordance with the provisions of the Law on the Establishment of Radio and Television Enterprises and Their Media Services numbered 6112 and dated 15/2/2011,
- Messages sent by the government, local administrations, and other public legal entities to inform the public.
- Messages sent via physical means e.g. messages sent via courier.
We would like to better understand what is considered commercial communication (content wise).
Is for example a single email to a specific contact including an invitation for an event already commercial communication and in scope of the law?
These types of commercial communications must be evaluated according to the “content” and “nature” of the communication. Single email to a specific contact including an invitation for an event already commercial communication will evaluated in scope of the legislation. Even though companies are benefiting from the exemption foreseen for merchants/craftsmen and do not necessitate prior opt-in, service providers are still under the obligation to register to the IYS and upload the recipient’s communication addresses to the IYS before sending commercial electronic messages.
Is the scope of the law limited to “mass emailings” with commercial communications?
No. Any type of communications which have matter of adjuvant reputation are in scope.
Does the law also apply, if a Turkish company addresses persons who are located outside of Turkey (e.g. Europe)?
In principle, no. But communication activities are conducted from Turkey and touching in jurisdiction of Turkey. Only from this sense of contact is seem in scope of-about the legislation. On the other hand, there is a slight possibility to apply the legislation to these cases.
Does the law also apply if a company outside of Turkey addresses persons who are located in Turkey?
Yes. With respect to the service providers located abroad, Ileti Yönetim Sistemi A.Ş. (entity conducting IYS operations) has clarified this issue, on their official website as follows;
“It is considered that real persons or legal entities, whether located in Turkey or abroad, who wish to send commercial electronic message must comply with the legislation and register to IYS. Accordingly, entities not located in Turkey but sending commercial electronic messages to recipients in Turkey must send their apostilled commercial activity certificate and authorization certificate of the authorized person for the registration to bilgi@iys.org.tr. Same documents must be sent to the central office address of Ileti Yönetim Sistemi A.Ş. via post.”
Therefore, entities located abroad, who send commercial electronic message to the recipients in Turkey, are indeed under the obligation to register to the IYS and to comply with the Regulation’s requirements accordingly.
Does the law apply to communication to Turkish citizens without regard where they are located?
No. Service providers residing in Turkey or abroad, wishing to send electronic commercial messages to the recipients located in Turkey and the intermediary service providers who initiate the commercial electronic message transmission at the service provider’s instructions are within the scope of the Regulation.
We assume that we can still send communication which is necessary in order to fulfill contracts or legal obligations as we assume that such communication is not in scope of the law. We appreciate if you can confirm this.
Confirmed; communications which are necessary in order to fulfill contracts or legal obligations are not in scope of the law. Only in such cases like sending for promotion, advertising and/or reminding their business/products/services, (please note that; this promotional intention is interpreted broadly) are in scope of the law even recipients are already in contact or portfolio which not to need any explicit consent.
SECTION 3 – REQUIREMENTS FOR VALID CONSENT
Pursuant to Article 6 of the Law, it is compulsory that the consent of recipients is obtained to send commercial electronic messages. According to the Amendment Regulation, all approvals must be registered with IYS. Service providers must register the consent obtained from recipients with IYS within 3 business days. Otherwise, the approval will be void. The approval received will be valid until and unless it is rejected by the recipient.
Do all of the e-marketing activities in scope of the law require explicit consent by the data subjects?
As the general rule, in order to send commercial electronic messages, permission of the recipient should be obtained. Since the Regulation does not foresee a soft opt-in regime, service providers must obtain such recipients’ permission in advance and in accordance with the Regulation and relevant legislation. Regulation also defines certain exceptions for electronic messages which do not require permission;
- Commercial electronic messages sent to merchants and craftsmen. Therefore, if the recipient is a merchant/craftsman, service providers are not obliged to obtain permission to send commercial electronic messages (until/if opted-out).
- Electronic messages regarding change, use or maintenance of the provided product/service where the recipient has provided her/his contact information for communication.
- Messages including notifications on ongoing subscription, membership or affiliate status, as well as collection, debt reminder, update information, purchase and delivery or similar occasions.
- Commercial electronic messages sent to customers by brokerage firms in accordance with the legislation on the capital market.
What are the requirements for valid consent according to Turkish law? Does it have to be in writing?
Another critical issue in commercial electronic messages is that the approvals received from the recipient should meet the requirements. If the approval received from the recipient does not meet the necessary conditions, it will be deemed invalid and the criminal liabilities listed in Article 12 of the Law may be charged to the service provider. Therefore, it is important that the approvals received from the recipient comply with Article 7 of the Regulation. According to the Article, “approval may be obtained in writing or by any means of electronic communication or via IYS”. An approval should include the followings:
- Affirmative declaration of acceptance that the recipient agrees to receive commercial electronic communication;
- Name and surname of the recipient;
- Electronic contact address of the recipient;
- Signature of the recipient (provided that the approval has been obtained in the physical environment).
Additionally pursuant to Article 8 of the Law and Article 9 of the Regulation, the recipient may refuse to receive commercial electronic communications and void his/her prior approval. In addition, in accordance with Article 8 of the Law and Article 9(4) of the Regulation, right to opt-out should be granted to the recipient in every message sent by the service providers. Therefore, every commercial electronic message without right to opt-out will be against the Law and the Regulation.
Will it be possible to obtain valid consent directly from the data subject or do we need to obtain consent over the iYS in the future?
Yes. It will always be possible to obtain valid consent directly from the data subject. But after the IYS has come into life, it is mandatory to transfer that consent to the IYS.
From what we learned so far, we need to be able to prove that a valid consent is in place. If consent is not obtained in writing, what other methods are accepted in Turkey in order to prove that valid consent is in place? Do we need to use the “Double Opt-In” method in order to get consent for email marketing?
No, there’s no requirement under KVKK or e-commerce legislation to have a double opt-in process. Yet, it’s considered best practice in many countries, especially in the EU in general. With this method, you can ensure the email address receiving your communication actually belongs to the person giving the consent and hereby further ensure that you avoid high unsubscribe rates, retain the integrity of your list and the reputation of your address. If consent is not obtained in writing, it can be obtained from electronic or dijital platform that enables registry of access logs. For example, to collect consent upon subscription, you have to add checkbox fields with consent clauses and a link to your privacy policy or other data protection declarations to your forms.
Consent of existing contacts: we are thinking about “updating” existing consents for existing contacts, informing them that if they want to receive e-marketing material from us in the future, we have to upload their data to the iYS servers. If this was not necessary for existing consents.
This procedure is applicable, actually. But we can not say that the risk has gone entirely. Because, after the Law no. 6698, Personal Data Protection Law in Turkey (“KVKK”) has come into force fully April 7th, 2018, personal datas which have processed without valid consent, have assumed as legal. To execute this procedure may drew attention in these days. In other words, this procedure should have been carried out in 2018. According to KVKK, explicit consent is must for operating e-marketing communication specifically for the natural persons who is known as end user. This phase should be executed with an information and explicit consent declaration.
Consent for future contacts: we are planning to inform the data subjects about the fact that we have to upload their data to the iYS servers, if they ask us to send e-marketing communication.
This will be the right way, indeed. As mentioned above, explicit consent is must for operating e-marketing communication specifically for the natural persons who is known as end user. This phase should be executed with an information and explicit consent declaration. This consent must be given during the first contact with that natural person.
We will need your assistance in order to setup the updated consent texts.
Surely, in accordance with Article 8 of the Regulation, the content of the commercial electronic communications must be complied to the approval received from the recipient. The commercial electronic message must include:
- Information (MERSIS number, address etc.) about the sender on the subject (title) or content of the communication.
- Accessible contact information such as phone number, fax number, SMS number or email address which will allow the recipient to reach the service provider.
- Unless it is clearly understood from the content, a statement indicating that the message is of a promotional or commercial nature.
Again, pursuant to Article 8 of the Law and Article 9 of the Regulation, the recipient may refuse to receive commercial electronic communications and void his/her prior approval. In addition, in accordance with Article 8 of the Law and Article 9(4) of the Regulation, right to opt-out should be granted to the recipient in every message sent by the service providers. Therefore, every commercial electronic message without right to opt-out will be against the Law and the Regulation.
CONCLUSION IN GENERAL:
COMPLIANCE WITH COMMERCIAL ELECTRONIC COMMUNICATIONS WITH IYS
After complying with obligations to register and to upload above-explained databases to the IYS, an obligation to check the permission status of the recipients over the IYS shall continue perpetually. In addition to these obligations, service providers must comply with the following;
- Permissions received by a method other than IYS will have to be reported to the IYS within three working days. Please note that permissions that are not reported to the IYS within this period will be considered as invalid.
- Service providers shall also notify the opt-outs to the IYS within three working days.
- Commercial electronic messages must include certain elements and information as defined under the Regulation (including information on the service provider and an option to opt-out as further regulated).
- While the following messages do not require prior permission of the recipient, when service provider is sending messages based on these exceptions, service providers shall notify the intermediary service provider regarding which exception that they are relying on when they are sending messages without prior permission;
- Electronic messages regarding change, use or maintenance of the provided product/service where the recipient has provided her/his contact information for communication,
- Messages including notifications on ongoing subscription, membership or affiliate status, as well as collection, debt reminder, update information, purchase and delivery or similar occasions,
- Commercial electronic messages sent to customers by brokerage firms in accordance with the legislation on the capital market.
- Complaints regarding commercial electronic messages can be made through the IYS. In addition to complaints that can be made through the e-Devlet (turkiye.gov.tr), the website of the Ministry of Trade and the provincial directorate at the place of residence of the complainant, the recipients can also report their complaints through the IYS.
- Permission records must be retained starting from the date of expiration of validity of permission and other records regarding delivery of message must be retained (starting from the date of record) for three years.
Best Regards,
- The consent exemption for merchants and craftsmen on commercial electronic messages can be explained as follows: According to the legislations in Turkey “people who run a commercial business as a whole or even partially on others behalf, is called merchants and craftsmen. Although there are some points that differentiate merchants comparing to craftsmen in technical or financial terms, these definitional and intellectual distinctions are not of significant in terms of commercial electronic message delivery. Accordingly, as it can be stipulated, companies and institutions that are legal entities will also be considered as merchants and craftsmen.
In practice, especially if it is considered that the commercial electronic message delivery is operated via SMS and e-mail; the distinction between merchants-craftsmen and others can be easily figured out through corporate company line (cell number) and corporate e-mail account. Such that; commercial electronic messages sent to merchants and craftsmen via corporate e-mail account or corporate lines will be accepted within the scope of hereby article. For example, addresses such as xyz@abc-limitedliabilitycompany.com / xyz@abc-corporate.com / xyz@abc-joint-stock-company.com are accepted as corporate e-mail accounts and consent is not required for commercial electronic messages sent to these addresses. However, if commercial electronic messages are sent to the private hotmail-gmail-outlook etc. accounts of the same person, then consent requirement will be a cuurent issue at the top of the agenda. The same distinction applies to company lines and private phone numbers. Stated in other words, when it comes to corporate matter, data subject is disappeared. On the other hand, if there is an individual relation, data subject exists originally.
In this sense, our advice is to wisely cease delivering commercial electronic messages to non- corporate contacts whose consents are not provided; by filtering the individual-private e-mail accounts and personal phone numbers on the supplier or customer lists.
- Commercial electronic messages sent to merchants and craftsmen must have the identical qualifications as individuals. There is not any significant update in this context. So, the commercial electronic message must include:
- Information (MERSIS number, address etc.) about the sender on the subject (title) or content of the communication and informing the right of refusal.
- Accessible contact information such as phone number, fax number, SMS number or email address which will allow the recipient to reach the service provider.
- Unless it is clearly understood from the content, a statement indicating that the message is of a promotional or commercial nature.
However, it should be crucially kept in mind that; if the right of refusal on the delivery of commercial electronic messages is used by merchants and craftsmen, explicit consent must be obtained from the merchants and tradesmen regarding the re-submission, despite thefact that it is covered by the exception.